probot / adapter-github-actions

:electric_plug: An adapter that takes a Probot app and makes it compatible with GitHub Actions
ISC License

Update vulnerable dependencies - using `npm audit` #47

Closed jamacku closed 2 years ago

jamacku commented 2 years ago

As described in #46, adapter-github-actions has a transitive dependency on the got@9.6.0 package. This version of the package has a known vulnerability, see CVE-2022-33987.

Note: I have just run npm audit fix and run the test suite using npm run test.

Audit report:

  # npm audit report

  got  <11.8.5
  Severity: moderate
  Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
  fix available via `npm audit fix`
  node_modules/got
    package-json  <=6.5.0
    Depends on vulnerable versions of got
    node_modules/package-json
      latest-version  0.2.0 - 5.1.0
      Depends on vulnerable versions of package-json
      node_modules/latest-version
        update-notifier  0.2.0 - 5.1.0
        Depends on vulnerable versions of latest-version
        node_modules/update-notifier
          probot  9.9.0 - 12.2.4
          Depends on vulnerable versions of update-notifier
          node_modules/probot

  5 moderate severity vulnerabilities

Attempting to fix: #46

gr2m commented 2 years ago

should be fixed via 9021186, thanks! Thanks for sending a PR, but I prefer to update lock files myself as it's too easy to miss an injection of unwanted code in such a large diff
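The two checks a maintainer wants here, as an added example that is not code from the probot/adapter-github-actions repository or from either commenter: first, walking a package-lock.json to show the dependency chain from the root to `got` (the chain the audit report above prints) and flagging any installed version below the advisory's fixed version (11.8.5, taken from the `got <11.8.5` line of the report); second, the review gr2m describes for a large lockfile diff, automated as a lint that flags any locked entry whose `resolved` URL is not on the npm registry or that lacks an `integrity` hash. The lockfile embedded below is constructed for the example and mirrors the versions the audit report names; the `example-unreviewed` entry is an invented placeholder added only to show the lint firing. It assumes the lockfileVersion 2/3 `packages` map layout and ignores optional and peer dependencies.

```javascript
// Added example, not part of the adapter-github-actions project.
// (1) auditPackage(): find every dependency chain from the root to a named
//     package and report whether the locked version is below the fixed version.
// (2) lintLockfile(): flag entries resolved from outside the registry or
//     shipped without an integrity hash, i.e. what to eyeball in a big lock diff.

// Constructed sample lockfile (lockfileVersion 2 "packages" map), mirroring the
// chain in the audit report. The "example-unreviewed" entry is a placeholder
// invented only so that the lint below has something to flag.
const REG = 'https://registry.npmjs.org';
const SAMPLE_LOCK = {
  name: 'sample-app', lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { probot: '^12.2.4', 'example-unreviewed': '1.0.0' } },
    'node_modules/probot': { version: '12.2.4', resolved: `${REG}/probot/-/probot-12.2.4.tgz`,
      integrity: 'sha512-constructed', dependencies: { 'update-notifier': '^5.0.0' } },
    'node_modules/update-notifier': { version: '5.1.0', resolved: `${REG}/update-notifier/-/update-notifier-5.1.0.tgz`,
      integrity: 'sha512-constructed', dependencies: { 'latest-version': '^5.1.0' } },
    'node_modules/latest-version': { version: '5.1.0', resolved: `${REG}/latest-version/-/latest-version-5.1.0.tgz`,
      integrity: 'sha512-constructed', dependencies: { 'package-json': '^6.3.0' } },
    'node_modules/package-json': { version: '6.5.0', resolved: `${REG}/package-json/-/package-json-6.5.0.tgz`,
      integrity: 'sha512-constructed', dependencies: { got: '^9.6.0' } },
    'node_modules/got': { version: '9.6.0', resolved: `${REG}/got/-/got-9.6.0.tgz`, integrity: 'sha512-constructed' },
    // Constructed bad entry: tarball from a non-registry host and no integrity hash.
    'node_modules/example-unreviewed': { version: '1.0.0', resolved: 'https://example.invalid/example-unreviewed-1.0.0.tgz' },
  },
};

// Minimal numeric semver comparison (major.minor.patch, no prerelease tags).
function parseVersion(v) {
  return v.replace(/^v/, '').split('.').map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// npm's node_modules resolution: look for node_modules/<name> beneath the
// dependent's own path, then in each parent, finishing at the top level.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Depth-first walk from the root, collecting every chain that ends at targetName.
function findChains(lock, targetName) {
  const packages = lock.packages;
  const chains = [];
  const visit = (key, trail) => {
    const name = key === '' ? '(root)' : key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const names = [...trail, name];
    if (name === targetName) { chains.push({ names, key }); return; }
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      if (names.includes(dep)) continue;             // guard against dependency cycles
      const depKey = resolveDep(packages, key, dep);
      if (depKey) visit(depKey, names);
    }
  };
  visit('', []);
  return chains;
}

// One result per chain: the printable path, the locked version, and whether it
// is below fixedIn (the advisory's patched version).
function auditPackage(lock, name, fixedIn) {
  return findChains(lock, name).map(({ names, key }) => ({
    chain: names.join(' > '),
    version: lock.packages[key].version,
    vulnerable: compareVersions(lock.packages[key].version, fixedIn) < 0,
  }));
}

// Flag locked entries that do not come from the expected registry host or
// that carry no integrity hash; both would stand out in a careful diff review.
function lintLockfile(lock, allowedHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === '' || entry.link) continue;          // root and workspace links have no tarball
    if (!entry.resolved) { findings.push({ key, problem: 'no resolved URL' }); continue; }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch (e) { host = null; }
    if (host !== allowedHost) findings.push({ key, problem: `resolved from ${host || 'unparseable URL'}` });
    if (!entry.integrity) findings.push({ key, problem: 'missing integrity hash' });
  }
  return findings;
}

console.log(auditPackage(SAMPLE_LOCK, 'got', '11.8.5'));
console.log(lintLockfile(SAMPLE_LOCK));
```

To use it on a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and run `auditPackage(lock, 'got', '11.8.5')` before and after `npm audit fix`: the chain should be unchanged and `vulnerable` should flip to `false`, while `lintLockfile(lock)` should stay empty across the diff.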

jamacku commented 2 years ago

@gr2m I understand, thanks for the fix. :+1: